Microsoft SharePoint Foundation 2010 introduces the concept of
Sandboxed Solutions, which are available in SharePoint Server, too.
Sandboxed Solutions are WSP solutions that can be uploaded and
deployed by authorized users at the Site Collection level, running
within a safe and limited execution context. All the Sandboxed
Solutions are stored in a dedicated solution gallery, which is
persisted in the content database of the current Site Collection.
Thus, backup and restore policies also gain the benefits of this
new capability. Moreover, versioning of Sandboxed Solutions is
easier to manage compared with farm-level solutions, because you
simply need to upload a new version of the WSP package into the
Site Collection, using a web-browser-based interface, and invoke
the “Upgrade” action without the need to restart the application
pool of the target site.
Sandboxed Solutions can be monitored and validated by farm
administrators, giving them the ability to monitor memory
consumption, CPU execution time, exceptions count, database
queries, and so on. If a Sandboxed Solution deployed by a user
consumes too many resources, an administrator can deactivate it,
and avoid stressing the environment.
A Sandboxed Solution is executed in a dedicated .NET application
domain, which runs on a dedicated and isolated process with a
restricted set of permissions. When a front-end server receives a
request targeting a Sandboxed Solution, it utilizes an Execution
Manager engine, which routes the request to the SharePoint User
Code Service (SPUCHostService.exe). The User Code Service routes
the request to the target application domain, which runs in a
dedicated process called SPUCWorkerProcess.exe. Because every
Sandboxed Solution acts in a restricted environment, every request
targeting the SharePoint API will be routed to a third process
called SPUCWorkerProcessProxy.exe, which is responsible for
effectively invoking SharePoint. In the following figure you can
see a functional schema of the Sandboxed Solutions in SharePoint
2010.
Lastly, you can configure the farm to run Sandboxed Solutions in
either local or remote mode. In local mode, each Sandboxed Solution
runs on the front-end that receives the request; in remote mode,
each Sandboxed Solution runs on back-end application servers that
are dedicated to running Sandboxed Solutions. When using remote
mode, there is also a native load balancing engine that will route
requests to the least loaded server, if there are multiple
application servers.
called WSS_Sandbox and defined by a dedicated Code Access Security
(CAS) policy file, wss_usercode.config, which is located in the
CONFIG folder of the SharePoint 2010 root folder.
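Because the sandbox's boundary is ultimately the CAS policy in that file, a defender wants to verify it has not been loosened (for example, by granting file-system access or unmanaged-code rights to sandboxed code). The following is an added example, not code from the page or from SharePoint itself: it audits a policy document written in the .NET named-permission-set format that wss_usercode.config uses. The XML fragment, the permission-set names and the watch lists of risky permissions are constructed assumptions, not the contents of the shipped file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .NET security-policy format used by
# wss_usercode.config; it is NOT the file shipped with SharePoint 2010.
SAMPLE_POLICY = """<configuration><mscorlib><security><policy>
<PolicyLevel version="1">
 <NamedPermissionSets>
  <PermissionSet class="NamedPermissionSet" version="1" Name="SandboxDefault">
   <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib"
                version="1" Flags="Execution"/>
   <IPermission class="AspNetHostingPermission" version="1" Level="Minimal"/>
  </PermissionSet>
  <PermissionSet class="NamedPermissionSet" version="1" Name="Loosened">
   <IPermission class="SecurityPermission" version="1"
                Flags="Execution, UnmanagedCode"/>
   <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
  </PermissionSet>
 </NamedPermissionSets>
 <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
  <IMembershipCondition class="AllMembershipCondition" version="1"/>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SandboxDefault">
   <IMembershipCondition class="AllMembershipCondition" version="1"/>
  </CodeGroup>
 </CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""

# Watch lists (assumptions): grants a sandbox policy should never contain.
RISKY_CLASSES = {"FileIOPermission", "RegistryPermission",
                 "ReflectionPermission", "EnvironmentPermission"}
RISKY_SECURITY_FLAGS = {"UnmanagedCode", "ControlPolicy",
                        "SkipVerification", "ControlEvidence"}

def audit_policy(xml_text):
    """Map each named permission set to the findings that break the sandbox."""
    findings = {}
    for pset in ET.fromstring(xml_text).iter("PermissionSet"):
        issues = []
        for perm in pset.findall("IPermission"):
            # class may be assembly-qualified; keep only the short type name
            cls = perm.get("class", "").split(",")[0].strip().rsplit(".", 1)[-1]
            if perm.get("Unrestricted", "").lower() == "true":
                issues.append(f"{cls} is Unrestricted")
            elif cls in RISKY_CLASSES:
                issues.append(f"{cls} granted")
            if cls == "SecurityPermission":
                flags = {f.strip() for f in perm.get("Flags", "").split(",")}
                issues += [f"SecurityPermission flag {b}" for b in sorted(flags & RISKY_SECURITY_FLAGS)]
        findings[pset.get("Name", "?")] = issues
    return findings

def sets_in_use(xml_text):
    """Permission-set names actually referenced by code groups."""
    return {cg.get("PermissionSetName") for cg in ET.fromstring(xml_text).iter("CodeGroup")}
```

A set that is defined but never referenced by a code group (here, "Loosened") is harmless until someone points a code group at it, so compare `audit_policy` findings against `sets_in_use` when reviewing a farm.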
The code executing within a Sandboxed Solution can use only a
limited subset of the available types and namespaces of the
SharePoint Server Object Model. This is done to prevent users from
deploying Trojan horses. Moreover, a Sandboxed Solution by default
can deploy only a limited set of features: those that do not require
direct access to the file system of the farm servers, do not need
to deploy files in the Global Assembly Cache (GAC), do not need to
modify the web.config files of the front-end servers, etc. For
example, you can deploy a Site Column, a Content Type, a List
Definition, or Custom Actions, as well as many other features.
Nevertheless, you cannot deploy Application Pages, controls based
on custom ASCX, workflows based on code (i.e., those built in
Visual Studio 2010), farm-level solutions, etc.
The new Microsoft Office 365 offering includes a SharePoint 2010
Online edition, with which you can use a SharePoint environment
offered as a service in the cloud. Sandboxed Solutions can be used
to extend and customize a SharePoint 2010 Online environment, too.
Thus, this new capability of SharePoint 2010 is becoming very
relevant for everyday development tasks, and you need to have a
solid knowledge of Sandboxed Solutions if you want to ride the
future of SharePoint and of the cloud offering by Microsoft.
In my last book about Microsoft SharePoint 2010 (“Microsoft
SharePoint 2010 Developer Reference”) you can find a more in-depth
discussion about security in SharePoint 2010, Sandboxed Solutions
and SharePoint development in general.